
Re: working for wheezy-security until wheezy-lts starts



On 2016-03-01, Mike Gabriel <sunweaver@debian.org> wrote:
> @Security Team: Shall we (LTS contributors) handle wheezy-security  
> updates like described below until Debian wheezy LTS comes into play?
>
>    o Pick a package that has open CVE issues in wheezy, e.g. from 
>      above list
>    o Add the package to data/dsa-needed.txt, if not already there:
>      - packages with issues to be solved in wheezy only, should be
>        suffixed with "/oldstable" (i.e., gosa/oldstable)
>      - packages with issues in jessie and wheezy, should probably
>        just be added by the package name (without suffix), right?
>
> From then on, the workflow can be the same workflow as used for
> normal security updates (as already described earlier in this
> thread):
>
>    o Fix the issue in the package (grab the current package from  
>       oldstable's archive).
>    o Test your fixes.
>    o Provide a .debdiff to
>      team@security.debian.org and to the
>      Debian bug, if any related bug exists.
>
>    o Wait for feedback from the release team on how to proceed.
>
>    o As a courtesy, you could check the same package in jessie and
>      see if the fix for oldstable is easily forward-portable. Thus,
>      maybe providing a jessie-security .debdiff for the package can
>      be an option.
>
> The removal of the entry placed into data/dsa-needed.txt should then
> be handled by the Security Team, once the fixed package version has
> been uploaded.
>
> More Feedback?
>
> Mike

Looking good to me; we can refine the process incrementally, if need
be.

Thanks a lot for the help,

--Seb

